08/31/2017

Low DMARC Adoption Should Not Be Surprising

by Nigel Johnson

There’s no doubt cyberattacks are increasing the costs of doing business. Companies of all sizes are redirecting IT priorities and budget to evaluate and implement best practices that reduce the opportunity for attack and decrease the costs of a breach. So with all these factors in play, how can it be that so many companies – even the world’s largest with arguably the largest IT budgets – are failing to use the basic authentication standard, DMARC?

Unveiled in 2007 before the eruption of monetized cyberattacks, DMARC (Domain-based Message Authentication, Reporting, and Conformance) provides a global framework to authenticate the source of email and enables companies to reduce phishing and other threats in their top attack vector – email. But based on a recent report by Agari, “92 percent of all Fortune 500 companies have left their customers and business partners unprotected from phishing and other forms of email attacks that impersonate their corporate email domain.” Results among the FTSE 100 and the ASX 100 companies show a similar lack of DMARC use, however it’s unfair to say these companies are leaving their customers unprotected.

On the surface, DMARC is an important standard. It allows senders to tell the world that they are using the security mechanisms SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). If a recipient knows that SPF and DKIM are being used, they can reject all the messages that fail SPF and DKIM tests.
And like most standards, there are benefits and limitations to using DMARC. While DMARC can help to reduce phishing and other email threats, the standard is anything but basic and:

Requires a significant investment: For small- to medium-sized businesses, the setup and management of DMARC can be complicated and require IT expertise that is not easily resourced. For large organizations with multiple email servers, the management of SPF and DKIM is more complicated than simply setting a DNS record and adding a signature.

Can create a significant barrier to email and thus business: If the DMARC standard is in full implementation, companies reject emails that fail SPF and DKIM tests. For large organizations with multiple email servers, or who use email service providers, it becomes difficult to accurately identify all of the mail servers that are authorized to send email. Implementing DMARC means risking the rejection of valid emails, preventing employees from communicating with trusted partners and customers, and disrupting business.

Demands ubiquity to be effective: Email is such an effective communication tool, because it’s an easy tool used by companies globally, no matter the size, no matter the industry. By inserting DMARC into email, it adds a level of burden that most companies aren’t prepared to support, and until every company uses it, the standard cannot deliver its valued promise of reducing threats.

Does not assist with protecting organizations from sophisticated attacks: The source of an email is not the only indicator of malicious intent. There are many content layers of an email that should be analyzed to prevent threats from entering employee inboxes and corrupting your business network. And beyond the content, sophisticated hackers can work through legitimate sources, including by hijacking a trusted partner’s email server without being discovered.

To minimize phishing as well as advancing email cyberattacks, companies should use a combination of best practices, including employee training, efficient system upgrades and use of tools and standards. There is not a one-solution-fits-all nor one solution that solves all. While the DMARC findings of Agari’s study may seem surprising and damaging at first glance, it’s not nearly a full picture of the investment and best practices that the world’s largest companies are likely making.